Re: trust chain building for X509_verify_cert

2012-06-06 Thread Vladimir Belov


His code WORKS fine with OpenSSL library initialization. I checked.
The verification failed because OpenSSL couldn't find the digest algorithm.
Special error checking isn't needed now; the reason is the absence of the
OpenSSL_add_all_algorithms function or similar.

---
From: Dave Thompson
Sent: Thursday, June 07, 2012 5:43 AM
To: openssl-users@openssl.org
Cc: 'Alexander Kirschner'
Subject: RE: trust chain building for X509_verify_cert

From: owner-openssl-us...@openssl.org On Behalf Of Arthur Spitzer
Sent: Tuesday, 05 June, 2012 04:48

I need to verify a X.509 certificate against a self-signed X.509 CA,
both certificates are in PEM-format. Doing this on the command line
works so far: 
Right now I am working on a small piece of code that is supposed to
do the same from C++ using the X509_verify_cert function.

The problem is: The verification always fails with error code 7
("signature invalid"). I already tried three different attempts
(documented in the attached cpp file) to build the trust chain,
with the same result.

verify error 7 isn't a chain building problem, it's an error
verifying the signature (on the cert, against the parent).

http://www.openssl.org/support/faq.html#PROG6 tells you to
do ERR_print_errors_fp (or equivalent) which says 0D0C50A1, and
http://www.openssl.org/support/faq.html#PROG7 tells you to
ERR_load_crypto_strings (or equivalent, e.g. for SSL apps use
SSL_load_error_strings) which says ...:unknown message digest algorithm
and http://www.openssl.org/support/faq.html#PROG8
tells you OpenSSL_add_all_algorithms (or equivalent).


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org 




RE: trust chain building for X509_verify_cert

2012-06-06 Thread Dave Thompson
>From: owner-openssl-us...@openssl.org On Behalf Of Arthur Spitzer
>Sent: Tuesday, 05 June, 2012 04:48

>I need to verify a X.509 certificate against a self-signed X.509 CA, 
>both certificates are in PEM-format. Doing this on the command line 
>works so far: 
>Right now I am working on a small piece of code that is supposed to 
>do the same from C++ using the X509_verify_cert function.

>The problem is: The verification always fails with error code 7 
>("signature invalid"). I already tried three different attempts 
>(documented in the attached cpp file) to build the trust chain, 
>with the same result.

verify error 7 isn't a chain building problem, it's an error 
verifying the signature (on the cert, against the parent).

http://www.openssl.org/support/faq.html#PROG6 tells you to 
do ERR_print_errors_fp (or equivalent) which says 0D0C50A1, and 
http://www.openssl.org/support/faq.html#PROG7 tells you to 
ERR_load_crypto_strings (or equivalent, e.g. for SSL apps use 
SSL_load_error_strings) which says ...:unknown message digest algorithm 
and http://www.openssl.org/support/faq.html#PROG8
tells you OpenSSL_add_all_algorithms (or equivalent).
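
Added example, not part of the original thread and not OpenSSL code: it unpacks the queued error code 0D0C50A1 quoted above using the OpenSSL 1.0.x error-code layout, and shows how it separates "digest not registered" from a genuinely bad signature when the verify result is 7. The function and enum names are hypothetical; the numeric values are the ones in the 1.0.x headers.

```c
#include <stdio.h>
#include <string.h>

/* Packed error code layout in OpenSSL 1.0.x (ERR_PACK in err.h):
 * bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason. */
struct err_fields { unsigned lib, func, reason; };

static struct err_fields decode_err(unsigned long code)
{
    struct err_fields f;
    f.lib    = (unsigned)((code >> 24) & 0xffUL);
    f.func   = (unsigned)((code >> 12) & 0xfffUL);
    f.reason = (unsigned)(code & 0xfffUL);
    return f;
}

/* Numeric values as defined in the 1.0.x headers (names here are hypothetical). */
enum {
    VERIFY_ERR_SIGNATURE_FAILURE = 7,   /* X509_V_ERR_CERT_SIGNATURE_FAILURE */
    LIB_ASN1                     = 13,  /* ERR_LIB_ASN1 */
    FUNC_ASN1_ITEM_VERIFY        = 197, /* ASN1_F_ASN1_ITEM_VERIFY */
    REASON_UNKNOWN_DIGEST        = 161  /* ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM */
};

/* Render the code as it is printed when no error strings have been loaded. */
static int format_unloaded(unsigned long code, char *buf, size_t len)
{
    struct err_fields f = decode_err(code);
    return snprintf(buf, len, "error:%08lX:lib(%u):func(%u):reason(%u)",
                    code, f.lib, f.func, f.reason);
}

/* 1 when "verify error 7" is caused by a missing digest registration. */
static int is_missing_digest_init(int verify_err, unsigned long queued)
{
    struct err_fields f = decode_err(queued);
    return verify_err == VERIFY_ERR_SIGNATURE_FAILURE && f.lib == LIB_ASN1 &&
           f.func == FUNC_ASN1_ITEM_VERIFY && f.reason == REASON_UNKNOWN_DIGEST;
}

int main(void)
{
    char line[64];
    format_unloaded(0x0D0C50A1UL, line, sizeof line);
    printf("%s -> %s\n", line, is_missing_digest_init(7, 0x0D0C50A1UL)
           ? "digest not registered, call OpenSSL_add_all_algorithms()"
           : "genuine signature failure");
    return 0;
}
```
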




Re: trust chain building for X509_verify_cert

2012-06-06 Thread Bruce Stephens
Arthur Spitzer writes:

[...]

> The problem is: The verification always fails with error code 7
> (“signature invalid”). I already tried three different attempts
> (documented in the attached cpp file) to build the trust chain, with
> the same result.
>
> The relevant source code (certificates as char arrays included in the
> cpp) and both certificates are attached. I would be very grateful if
> you could give me a hint. Right now I am a little lost.

You don't seem to be calling OpenSSL_add_all_algorithms() (or adding any
algorithms).




Re: trust chain building for X509_verify_cert

2012-06-06 Thread Vladimir Belov


Hi, Arthur.

The verification always fails because OpenSSL can't find the digest algorithm. You (as I did just now) forgot about OpenSSL
initialization. You must add the following code at the beginning of the main function:


//SSLeay library init (libcrypto)
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();


There are other variants of initialization (if necessary):
//SSL library init(libssl)
ERR_load_SSL_strings();
SSL_library_init();

//OpenSSL library init (both libcrypto and libssl)
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();


--
From: Arthur Spitzer
Sent: Tuesday, June 05, 2012 12:48 PM
To: openssl-users@openssl.org
Cc: Alexander Kirschner
Subject: trust chain building for X509_verify_cert

Hi,

I need to verify a X.509 certificate against a self-signed X.509 CA, both certificates are in PEM-format. Doing this on 
the command line works so far:


openssl verify -CAfile caCertificate.pem certificate.pem
certificate.pem: OK

The version of OpenSSL is: 1.0.0j-fips 10 May 2012.

Right now I am working on a small piece of code that is supposed to do the same from C++ using the X509_verify_cert 
function.


The problem is: The verification always fails with error code 7 (“signature invalid”). I already tried three different 
attempts (documented in the attached cpp file) to build the trust chain, with the same result.


The relevant source code (certificates as char arrays included in the cpp) and both certificates are attached. I would 
be very grateful if you could give me a hint. Right now I am a little lost.


Thanks in advance & Best regards,

Arthur


Dipl.-Math. Arthur Spitzer, Software Architect
Phone: +49.89.45 23 47 - 260


jambit Software Development & Management GmbH
Erika-Mann-Str. 63, 80636 München
Phone: +49.89.45 23 47-0 Fax: +49.89.45 23 47-70

http://www.jambit.com where innovation works

Geschäftsführer: Peter F. Fellinger, Markus Hartinger
Sitz: München; Registergericht: München, HRB 129139



trust chain building for X509_verify_cert

2012-06-05 Thread Arthur Spitzer
Hi,

I need to verify a X.509 certificate against a self-signed X.509 CA, both 
certificates are in PEM-format. Doing this on the command line works so far:
openssl verify -CAfile caCertificate.pem certificate.pem
certificate.pem: OK
The version of OpenSSL is: 1.0.0j-fips 10 May 2012.

Right now I am working on a small piece of code that is supposed to do the same 
from C++ using the X509_verify_cert function.

The problem is: The verification always fails with error code 7 (“signature 
invalid”). I already tried three different attempts (documented in the attached 
cpp file) to build the trust chain, with the same result.

The relevant source code (certificates as char arrays included in the cpp) and 
both certificates are attached. I would be very grateful if you could give me a 
hint. Right now I am a little lost.

Thanks in advance & Best regards,

Arthur


Dipl.-Math. Arthur Spitzer, Software Architect
Phone: +49.89.45 23 47 - 260


jambit Software Development & Management GmbH
Erika-Mann-Str. 63, 80636 München
Phone: +49.89.45 23 47-0 Fax: +49.89.45 23 47-70

http://www.jambit.com where innovation works

Geschäftsführer: Peter F. Fellinger, Markus Hartinger
Sitz: München; Registergericht: München, HRB 129139

#include 
#include 
#include 
#include 
#include 

#include 
#include 
#include 


#define nullptr 0

const char* certificateAsPem = "-----BEGIN CERTIFICATE-----\n"
"MIIGyDCCBLCgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCREUx\n"
"EzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTEVMBMGA1UE\n"
"CgwMU29tZSBDb21wYW55MRgwFgYDVQQLDA9Tb21lT2ZmaWNlIFVuaXQxEzARBgNV\n"
"BAMMClRydXN0IFJvb3QxHzAdBgkqhkiG9w0BCQEWEG1haWxAZXhhbXBsZS5jb20w\n"
"HhcNMTIwNjA0MTUxMTQ2WhcNMzIwNjA0MTUxMTQ2WjCBpjELMAkGA1UEBhMCREUx\n"
"EzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTEVMBMGA1UE\n"
"CgwMU29tZSBDb21wYW55MRgwFgYDVQQLDA9Tb21lT2ZmaWNlIFVuaXQxHDAaBgNV\n"
"BAMME0RldmljZSBNYW51ZmFjdHVyZXIxHzAdBgkqhkiG9w0BCQEWEG1haWxAZXhh\n"
"bXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/s2Hnww8o\n"
"wtqvj5zrU9R5vmERsOrwMblHBwgD8PXOnAxSVTFYX13hn2NLLksnFdjwK3nsokj/\n"
"Y8Mg1hVX/iHy9gzt5wBnfu5EqUAY8d+8Du4leHM0AT3Q5RFkLlKukEM8/Ct2HnJa\n"
"P8KKeI80oy/xEZsE7KkLWb6I9BLnIvh8eHggylPJdbAamnxMUQAwddSIvSbZ+uTx\n"
"FCWgr/S0oNxByfc5BEKQF5O+GWti9FzgkpOoKG8LtMhPUL0srkY/5gJNJLFZa799\n"
"murYwHbqw0/m8CE58/sssVSu9DyiuX1SCf4tI69+tzNqs5OJCjQw5yM6XsqikCAu\n"
"OUdpJ6UdVev+BwNYkZxaohVkFF0jNIJj8PFJS3b7F/eZCOFWajFo9rEC9cVlfjtH\n"
"KeA4NwS2raeR619N5Zjs2uujb5/hM25dLBErKHokUd/PTF+VUaZhnt0aPtXasxoW\n"
"/+o1v2dHf/wdKFtVMKS4uLT40/RMJy24XTi4HKotgf/hna9j8eDQhEixyoRfAtHF\n"
"ojWZ/kPlmm0RNLHB/kcOVMuR54IVxoF8CoF/R6N8GinycY/WUKog4R0GoRlvkQ03\n"
"gHdPLayQObZ+v7ctCsJAjdLnOVGk5vd/byJJykOrZFZoPPEH8nXnaZa2JjX925eB\n"
"8dHK7irm4dATypFT61LNTuUGLzK87PJJJwIDAQABo4IBBjCCAQIwHQYDVR0OBBYE\n"
"FKSNp9W2sRGrSQV44dm2Ohf5fK+WMIHSBgNVHSMEgcowgceAFHsLSJuDRmeHPGuq\n"
"LZeOm4/lUXZtoYGjpIGgMIGdMQswCQYDVQQGEwJERTETMBEGA1UECAwKU29tZS1T\n"
"dGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5MRUwEwYDVQQKDAxTb21lIENvbXBhbnkx\n"
"GDAWBgNVBAsMD1NvbWVPZmZpY2UgVW5pdDETMBEGA1UEAwwKVHJ1c3QgUm9vdDEf\n"
"MB0GCSqGSIb3DQEJARYQbWFpbEBleGFtcGxlLmNvbYIJAKOelaQzPSd1MAwGA1Ud\n"
"EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggIBAIXKXsrv9xbU87H5J0z+PRWUwYHh\n"
"jd1NxmjxT31UT3BhSGbGurNK62q5Z9GFQNci7ceHidlS6+eeLOyAyQyDnnwBUt4H\n"
"llJeO1RD8KL2J5pc5DfOnrQrMA+jbQlOtdkyCynWm0wvz25oPFNNDPir0vD/epqe\n"
"px12oDW6DO3F+z6nuIWNlO9t9096KT3SAfMkGt9Linl364FDgXkbWRZiActCAj0/\n"
"sY7WOpqJVG8Yz+34VKaZRLMalDnopMSf9PZgNK37vwSJHtptZ0+IvuIQJ1tBRO3B\n"
"zS2rqmrvTZ4bDExtzYI4T2+moACC6pO8Fkolfs9otm/8iWhPHZEAreGHOPx+0kC8\n"
"MONtbcnNAhjXUGVruYhKMUhjIMETZpFI7eCB54FJ7+jyOZ/l9Lojh/GNgPzY1ZwD\n"
"RDCCbbQB3tv5EPHqtKLVKVqidmTiNvRcBJ6OxDxBOI4uK3IUFDUkiwlGfkT0I1tL\n"
"leTo65zFHbAnOHgEhTzJtroqjWSI/slK7U0gcmI52K6BvlI6xLuOgTtpwLBWdvLg\n"
"Z79WeJuoPpwhCQDScZTVw4ox++1v7KcVxJxaoF8+KNCMN1wVGTEgNLKFuHXamCSF\n"
"ekOi0E31PxclHe95hQXNFAxcdlPrIxyTzKPKbKl8ePKOagAIRv/CXkCfFjJ4P/rr\n"
"+rWi1kvr4B5x3UF3\n"
"-----END CERTIFICATE-----\n";

const char* caCertificateAsPem = "-----BEGIN CERTIFICATE-----\n"
"MIIGxzCCBK+gAwIBAgIJAKOelaQzPSd1MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD\n"
"VQQGEwJERTETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5\n"
"MRUwEwYDVQQKDAxTb21lIENvbXBhbnkxGDAWBgNVBAsMD1NvbWVPZmZpY2UgVW5p\n"
"dDETMBEGA1UEAwwKVHJ1c3QgUm9vdDEfMB0GCSqGSIb3DQEJARYQbWFpbEBleGFt\n"
"cGxlLmNvbTAeFw0xMjA2MDQxNTExNDZaFw0zMjA2MDQxNTExNDZaMIGdMQswCQYD\n"
"VQQGEwJERTETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5\n"
"MRUwEwYDVQQKDAxTb21lIENvbXBhbnkxGDAWBgNVBAsMD1NvbWVPZmZpY2UgVW5p\n"
"dDETMBEGA1UEAwwKVHJ1c3QgUm9vdDEfMB0GCSqGSIb3DQEJARYQbWFpbEBleGFt\n"
"cGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKIjaVMd5rP8\n"
"48Wi4x7gU01ytoep+ewno5DoB4BrLsINIpGwqg6z3d9o/mQdEdHSHlBhoDjb7TCc\n"
"HsRZtinuHyna9F/BRNEPAUaT4MpHR1t4CWbBxtaIE4+odSkbZRM5Z8qIX2igW0Tk\n"
"NocOiT+KLy3rlzEyHZF3pRkZ9XBes/u3f6rlBPMIUZ/ZOOtV3PlXuTWDw9DIcTDm\n"
"FqUY/z40ZZOV5g8I1c54ZkwT0dAZXXXqWA5GPtnsyYybYL4Iam6C2QMYql60WHHL\n"
"xHm4eGkxL8Dz7pAkYKTo/oMZjWXncIIPx/GVomQoyQq4S1M41PSrWyQGVkY+/gJP\n"